Running utilities in REXX

Scott Goodell

Running utilities in REXX
I'm trying to run the runstats utility from a REXX exec on DB2 MVS by calling
DSNUTILB.

I keep getting the reason code 00E40002, which indicates an APF auth problem.
I don't have any other libraries in my steplib than I do if I just run a
plain runstats through DSNUTILB. I suspect our system is setup somehow to
not allow any TSO (IKJEFT01) program run authorized. Has anyone tried
this with any success or do you have any suggestions to try?



Thanks

Scott



Venkat (PCA) Pillay

Re: Running utilities in REXX
(in response to Scott Goodell)
How are you passing parameters to DSNUTILB ? The problem is when you link to
program from REXX, the MVS linkage convention is not followed. You need to
have another program "in between" which loads the correct address to
Register 1 before calling DSNUTILB. Following are macros ,which will help
you mapping ('SYS1.MACLIB') -

IRXEFPL
IRXARGTB
IRXEVALB

Regards
Venkat Pillay
> -----Original Message-----
> From: Scott Goodell [SMTP:[login to unmask email]
> Sent: Tuesday, December 21, 1999 10:51 AM
> To: [login to unmask email]
> Subject: Running utilities in REXX
>
> I'm trying to run the runstats utility from a REXX exec on DB2 MVS by
> calling
> DSNUTILB.
>
> I keep getting the reason code 00E40002, which indicates an APF auth
> problem.
> I don't have any other libraries in my steplib than I do if I just
> run a
> plain runstats through DSNUTILB. I suspect our system is setup
> somehow to
> not allow any TSO (IKJEFT01) program run authorized. Has anyone
> tried
> this with any success or do you have any suggestions to try?
>
>
>
> Thanks
>
> Scott
>
>
>
>
>



Harvey Wachtel

Re: Running utilities in REXX
(in response to Venkat (PCA) Pillay)
If you invoke an APF-authorized module through LINKMVS or ATTACHMVS, it
will be run in an ordinary unauthorized environment and will be unable to
perform any authorized functions. This is the same thing that would happen
if you wrote an unauthorized assembler program and coded LINK EP=DSNUTILB
or ATTACH EP=DSNUTILB. The APF authorization of the environment is
established at the time the job-step program is invoked, based on the
jobstep program's authorization level in the load library directory and on
the kashruth of the concatenation from which it is fetched.

Some authorized programs (IEBCOPY and AMASPZAP to name two I know of) can
perform some of their functions without authorization. Others assume
authorization, plunge ahead, and soon die, usually on an ABENDS047 trying
to execute the MODESET SVC.

The only way I know of to create an authorized subenvironment in an
unauthorized jobstep is through the TSO TMP (IKJEFT01 and alii) or through
the TSO Service Facility Routine (IKJEFTSR), which create a separate job
step control block within the region. If the program you want to invoke is
in (or can be added to) the list of authorized programs callable from TSO,
you should be able to call it this way.

In summary, "ADDRESS LINKMVS 'DSNUTILB'" will result in unauthorized
execuiton. "ADDRESS TSO 'CALL ''<library name>(DSNUTILB)''', if properly
set up by your sysprogs, authorized. That's how we call IEBCOPY if we need
it to be authorized (as it must be to condense a PDS).



Scott Goodell
<Scott.E.Goodell To: [login to unmask email]
@WCOM.COM> cc:
Sent by: DB2 Subject: Running utilities in REXX
Data Base
Discussion List
<[login to unmask email]>


1999-12-21 10:51
Please respond
to DB2 Data Base
Discussion List





I'm trying to run the runstats utility from a REXX exec on DB2 MVS by
calling
DSNUTILB.

I keep getting the reason code 00E40002, which indicates an APF auth
problem.
I don't have any other libraries in my steplib than I do if I just
run a
plain runstats through DSNUTILB. I suspect our system is setup
somehow to
not allow any TSO (IKJEFT01) program run authorized. Has anyone
tried
this with any success or do you have any suggestions to try?



Thanks

Scott








Venkat (PCA) Pillay

Re: Running utilities in REXX
(in response to Harvey Wachtel)
I always thought DSNUTILB does not need to e APF-authorized. I ran it couple
of times thinking the steplib was not APF authorized.

I just want to confirm this - Are you sure DSNUTILB needs to be APF
authorized module ? (in that case may be my libraries were APF authorized
!!)
> -----Original Message-----
> From: Harvey Wachtel [SMTP:[login to unmask email]
> Sent: Tuesday, December 21, 1999 7:24 PM
> To: [login to unmask email]
> Subject: Re: Running utilities in REXX
>
> If you invoke an APF-authorized module through LINKMVS or ATTACHMVS, it
> will be run in an ordinary unauthorized environment and will be unable to
> perform any authorized functions. This is the same thing that would
> happen
> if you wrote an unauthorized assembler program and coded LINK EP=DSNUTILB
> or ATTACH EP=DSNUTILB. The APF authorization of the environment is
> established at the time the job-step program is invoked, based on the
> jobstep program's authorization level in the load library directory and on
> the kashruth of the concatenation from which it is fetched.
>
> Some authorized programs (IEBCOPY and AMASPZAP to name two I know of) can
> perform some of their functions without authorization. Others assume
> authorization, plunge ahead, and soon die, usually on an ABENDS047 trying
> to execute the MODESET SVC.
>
> The only way I know of to create an authorized subenvironment in an
> unauthorized jobstep is through the TSO TMP (IKJEFT01 and alii) or through
> the TSO Service Facility Routine (IKJEFTSR), which create a separate job
> step control block within the region. If the program you want to invoke
> is
> in (or can be added to) the list of authorized programs callable from TSO,
> you should be able to call it this way.
>
> In summary, "ADDRESS LINKMVS 'DSNUTILB'" will result in unauthorized
> execuiton. "ADDRESS TSO 'CALL ''<library name>(DSNUTILB)''', if properly
> set up by your sysprogs, authorized. That's how we call IEBCOPY if we
> need
> it to be authorized (as it must be to condense a PDS).
>
>
>
> Scott Goodell
> <Scott.E.Goodell To: [login to unmask email]
> @WCOM.COM> cc:
> Sent by: DB2 Subject: Running utilities
> in REXX
> Data Base
> Discussion List
> <[login to unmask email]>
>
>
> 1999-12-21 10:51
> Please respond
> to DB2 Data Base
> Discussion List
>
>
>
>
>
> I'm trying to run the runstats utility from a REXX exec on DB2 MVS by
> calling
> DSNUTILB.
>
> I keep getting the reason code 00E40002, which indicates an APF auth
> problem.
> I don't have any other libraries in my steplib than I do if I just
> run a
> plain runstats through DSNUTILB. I suspect our system is setup
> somehow to
> not allow any TSO (IKJEFT01) program run authorized. Has anyone
> tried
> this with any success or do you have any suggestions to try?
>
>
>
> Thanks
>
> Scott
>
>
>
>
>
>
>
>
>
>



Scott Goodell

Re: Running utilities in REXX
(in response to Venkat (PCA) Pillay)
Thanks Harvey, I knew DSNUTILB needed to be authorized but I was not aware of
the additional information you provided. I'll look into trying your
suggestions.

Scott





Harvey Wachtel <[login to unmask email]> on 12/21/99 06:23:33 PM

Please respond to DB2 Data Base Discussion List <[login to unmask email]>

To: [login to unmask email]
cc: (bcc: Scott Goodell/CDR/BSM/MCI)
Subject: Re: Running utilities in REXX



If you invoke an APF-authorized module through LINKMVS or ATTACHMVS, it
will be run in an ordinary unauthorized environment and will be unable to
perform any authorized functions. This is the same thing that would happen
if you wrote an unauthorized assembler program and coded LINK EP=DSNUTILB
or ATTACH EP=DSNUTILB. The APF authorization of the environment is
established at the time the job-step program is invoked, based on the
jobstep program's authorization level in the load library directory and on
the kashruth of the concatenation from which it is fetched.

Some authorized programs (IEBCOPY and AMASPZAP to name two I know of) can
perform some of their functions without authorization. Others assume
authorization, plunge ahead, and soon die, usually on an ABENDS047 trying
to execute the MODESET SVC.

The only way I know of to create an authorized subenvironment in an
unauthorized jobstep is through the TSO TMP (IKJEFT01 and alii) or through
the TSO Service Facility Routine (IKJEFTSR), which create a separate job
step control block within the region. If the program you want to invoke is
in (or can be added to) the list of authorized programs callable from TSO,
you should be able to call it this way.

In summary, "ADDRESS LINKMVS 'DSNUTILB'" will result in unauthorized
execuiton. "ADDRESS TSO 'CALL ''<library name>(DSNUTILB)''', if properly
set up by your sysprogs, authorized. That's how we call IEBCOPY if we need
it to be authorized (as it must be to condense a PDS).



Scott Goodell
<Scott.E.Goodell To: [login to unmask email]
@WCOM.COM> cc:
Sent by: DB2 Subject: Running utilities in
REXX
Data Base
Discussion List
<[login to unmask email]>


1999-12-21 10:51
Please respond
to DB2 Data Base
Discussion List





I'm trying to run the runstats utility from a REXX exec on DB2 MVS by
calling
DSNUTILB.

I keep getting the reason code 00E40002, which indicates an APF auth
problem.
I don't have any other libraries in my steplib than I do if I just
run a
plain runstats through DSNUTILB. I suspect our system is setup
somehow to
not allow any TSO (IKJEFT01) program run authorized. Has anyone
tried
this with any success or do you have any suggestions to try?



Thanks

Scott













Roger Miller

Re: Running utilities in REXX
(in response to Scott Goodell)


DSNUTILB must be APF authorized. It runs in key 7, and OS/390 ships
a program properties table entry for it. If you look at the load module or
at the JCLIN, you'll see the AC(1) attribute, and we only put that on where
required.

DSNUTILB needs to have the protection key of 7 set in the TCBPKF
field in order to run. A customer sent several code fragments. They
are not tested or warranted, but might be useful to see what was
needed, with assembler code.

(See attached file: tsoutilb.src)(See attached file: tsoutil.src)

Roger Miller
Attachments

  • tsoutilb.src (6.6k)
  • tsoutil.src (6k)

Venkat (PCA) Pillay

Re: Running utilities in REXX
(in response to Roger Miller)
Very useful. Thanks

> -----Original Message-----
> From: Roger Miller [SMTP:[login to unmask email]
> Sent: Wednesday, December 22, 1999 10:32 AM
> To: [login to unmask email]
> Subject: Re: Running utilities in REXX
>
>
>
> DSNUTILB must be APF authorized. It runs in key 7, and OS/390 ships
> a program properties table entry for it. If you look at the load module
> or
> at the JCLIN, you'll see the AC(1) attribute, and we only put that on
> where
> required.
>
> DSNUTILB needs to have the protection key of 7 set in the TCBPKF
> field in order to run. A customer sent several code fragments. They
> are not tested or warranted, but might be useful to see what was
> needed, with assembler code.
>
> (See attached file: tsoutilb.src)(See attached file: tsoutil.src)
>
> Roger Miller << File: tsoutilb.src >> << File: tsoutil.src >>



Harvey Wachtel

Re: Running utilities in REXX
(in response to Venkat (PCA) Pillay)
Before I responded to Scott's original post, I looked at the directory
entry for our copy and found that it is, indeed, marked as APF
authorization. However, I don;t know which of its functions, if any,
require authorization. (For example of what I mean, I do know that
AMASPZAP can be run unauthorized as long as you don't try to zap a VTOC.)



"Pillay,
Venkat (PCA)" To: [login to unmask email]
<venkat_pilla cc:
[login to unmask email]> Subject: Re: Running utilities in REXX
Sent by: DB2
Data Base
Discussion
List
<[login to unmask email]
OM>


1999-12-22
09:10
Please
respond to
DB2 Data Base
Discussion
List





I always thought DSNUTILB does not need to e APF-authorized. I ran it
couple
of times thinking the steplib was not APF authorized.

I just want to confirm this - Are you sure DSNUTILB needs to be APF
authorized module ? (in that case may be my libraries were APF authorized
!!)
> -----Original Message-----
> From: Harvey Wachtel [SMTP:[login to unmask email]
> Sent: Tuesday, December 21, 1999 7:24 PM
> To: [login to unmask email]
> Subject: Re: Running utilities in REXX
>
> If you invoke an APF-authorized module through LINKMVS or ATTACHMVS, it
> will be run in an ordinary unauthorized environment and will be unable to
> perform any authorized functions. This is the same thing that would
> happen
> if you wrote an unauthorized assembler program and coded LINK EP=DSNUTILB
> or ATTACH EP=DSNUTILB. The APF authorization of the environment is
> established at the time the job-step program is invoked, based on the
> jobstep program's authorization level in the load library directory and
on
> the kashruth of the concatenation from which it is fetched.
>
> Some authorized programs (IEBCOPY and AMASPZAP to name two I know of) can
> perform some of their functions without authorization. Others assume
> authorization, plunge ahead, and soon die, usually on an ABENDS047 trying
> to execute the MODESET SVC.
>
> The only way I know of to create an authorized subenvironment in an
> unauthorized jobstep is through the TSO TMP (IKJEFT01 and alii) or
through
> the TSO Service Facility Routine (IKJEFTSR), which create a separate job
> step control block within the region. If the program you want to invoke
> is
> in (or can be added to) the list of authorized programs callable from
TSO,
> you should be able to call it this way.
>
> In summary, "ADDRESS LINKMVS 'DSNUTILB'" will result in unauthorized
> execuiton. "ADDRESS TSO 'CALL ''<library name>(DSNUTILB)''', if properly
> set up by your sysprogs, authorized. That's how we call IEBCOPY if we
> need
> it to be authorized (as it must be to condense a PDS).
>
>
>
> Scott Goodell
> <Scott.E.Goodell To: [login to unmask email]
> @WCOM.COM> cc:
> Sent by: DB2 Subject: Running
utilities
> in REXX
> Data Base
> Discussion List
> <[login to unmask email]>
>
>
> 1999-12-21 10:51
> Please respond
> to DB2 Data Base
> Discussion List
>
>
>
>
>
> I'm trying to run the runstats utility from a REXX exec on DB2 MVS by
> calling
> DSNUTILB.
>
> I keep getting the reason code 00E40002, which indicates an APF auth
> problem.
> I don't have any other libraries in my steplib than I do if I just
> run a
> plain runstats through DSNUTILB. I suspect our system is setup
> somehow to
> not allow any TSO (IKJEFT01) program run authorized. Has anyone
> tried
> this with any success or do you have any suggestions to try?
>
>
>
> Thanks
>
> Scott
>
>
>
> the DB2-L webpage at http://www.ryci.com/db2-l. The owners of the list
can
>
>
>
>
> the DB2-L webpage at http://www.ryci.com/db2-l. The owners of the list
can
>








Roger Miller

Re: Running utilities in REXX
(in response to Harvey Wachtel)
For DSNUTILB, all of the function requires APF authorization.

Roger



Phil Grainger

Re: Running utilities in REXX
(in response to Roger Miller)
Of course, depending why you were wanting to run your utility from REXX and,
depending on whether you are on V5 or earlier, you could always call the
utilities stored procedure from REXX..........

Phil Grainger
Director DB2 Operations, Europe
Computer Associates International


> -----Original Message-----
> From: Roger Miller [SMTP:[login to unmask email]
> Sent: Thursday, December 23, 1999 5:43 PM
> To: [login to unmask email]
> Subject: Re: Running utilities in REXX
>
> For DSNUTILB, all of the function requires APF authorization.
>
> Roger
>
>
>
>
>